Checkmarx One vs SonarQube comparison

You must select at least 2 products to compare!
Checkmarx Logo
34,421 views|22,385 comparisons
86% willing to recommend
Sonar Logo
53,062 views|42,374 comparisons
81% willing to recommend
Comparison Buyer's Guide
Executive Summary
Updated on Sep 14, 2023

We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: SonarQube's setup is generally considered straightforward, with users finding it simple and quick. Some users said that Checkmarx is easy to set up, while others faced difficulties. Proper documentation and a dedicated team helped make the process smoother.   
  • Features: Most SonarQube reviewers mentioned how easy it is to integrate with other products. Checkmarx reviewers noted the benefits of the solution’s application security, scanning, and tracking.
  • Room for Improvement: SonarQube should enhance management reports, improve the scanning process, and expand language support. Checkmarx has room to improve in terms of its REST APIs, vulnerability scanning accuracy, and integration with third-party software. 
  • Pricing: Most SonarQube reviewers feel satisfied with the pricing, especially with its free Community Edition. .Checkmarx reviewers say it is expensive.
  • Service and Support: Some reviewers of SonarQube feel that support leaves room for improvement. Most reviewers of Checkmarx are satisfied with the support levels but would like faster response times. 

Comparison Results: Both solutions have intuitive interfaces and are easy to use. However, Checkmarx offers a more comprehensive feature set, including software composition scanning and a higher number of vulnerabilities detected. Checkmarx also provides better language support and more advanced reporting capabilities. SonarQube has a simpler pricing model and is generally considered more affordable. SonarQube focuses strongly on code quality and offers better integration with DevOps pipelines. The customer service and support experiences for both products vary, with some users praising the support and others reporting negative experiences.

To learn more, read our detailed Checkmarx One vs. SonarQube Report (Updated: May 2024).
772,277 professionals have used our research since 2012.
Q&A Highlights
Question: Checkmarx vs SonarQube; SonarQube interoperability with Checkmarx or Veracode
Answer: My opinions are my own and do not represent any other entities that I may be or have been affiliated with.  On this topic I think it is important to acknowledge that no matter which solution you go for you will have false positives. I don't think there will be any solution that properly solves this anytime soon.  As for Checkmarx vs SonarQube...  Checkmarx may cover more rules over a wider landscape, however I personally found this extra breadth covered outlyer rules and mostly lower priority issues. Both Checkmarx and SonarQube cover the OWASP top 10 and Sans25. Both tools can be tuned to help reduce false positives, for both you will need to analyse your tuning to ensure you are not introducing false negatives. Any tools that provide you customisation come with the risk that you could make things worse.  SonarQube has very good integration into most development IDEs empowering the engineers to run scans against the company rules on their local machine before submitting your source control and further tooling. In some it will even check the code automatically while you type it.  I see you also included Veracode in here. In my opinion that is a far superior tool to Checkmarx, this is down to their more modern approach to this problem. They also allow local developer integration to self lint code before submission.  In a perfect world, I would use Sonar for development bugs, test coverage and technical debt measurements. Then veracode to handle the SAST side for me. In short I would not duplicate the security scans in Sonar and Veracode.  Hope that helps
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
"It can integrate very well with DAST solutions. So both of them are combined into an integrated solution for customers running application security.""The most valuable feature for me is the Jenkins Plugin.""The administration in Checkmarx is very good.""The solution is scalable, but other solutions are better.""The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal.""The setup is fairly easy. We didn't struggle with the process at all.""The most valuable feature is that it actually identifies the different criteria you can set to meet whatever standards you're trying to get your system accredited for.""The user interface is excellent. It's very user friendly."

More Checkmarx One Pros →

"The solution's user interface is very user-friendly.""We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that.""It's a great product. If you are in a hurry and just want to focus on the functional requirements of any kind of project, SonarQube is highly helpful. It enables the developers to code securely. SonarQube has a Community edition, which is open source and free. There are also three proprietary or paid versions: Enterprise edition, Data Center edition, and Developer edition.""It is a good deal compared to all other tools on the market.""We are using the Community edition. So, we don't have to incur any licensing costs. This is the best part.""It is a very good tool for analysis and security vulnerability checking.""The product is simple.""SonarQube is useful for controlling all of our Azure task tracking and scanning."

More SonarQube Pros →

"If it is a very large code base then we have a problem where we cannot scan it.""The validation process needs to be sped up.""Checkmarx has a slightly difficult compilation with the CI/CD pipeline.""C, C++, VB and T-SQL are not supported by this product. Although, C and C++ were advertised as being supported.""They can support the remaining languages that are currently not supported. They can also create a different model that can identify zero-day attacks. They can work on different patterns to identify and detect zero-day vulnerability attacks.""The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement.""With Checkmarx, normally you need to use one tool for quality and you need to use another tool for security. I understand that Checkmarx is not in the parity space because it's totally different, but they could include some free features or recommendations too.""Integration into the SDLC (i.e. support for last version of SonarQube) could be added."

More Checkmarx One Cons →

"SonarQube needs to improve its support model. They do not work 24/7, and they do not provide weekend support in case things go wrong. They only have a standard 8:00 am to 5:00 pm support model in which you have to raise a support ticket and wait. The support model is not effective for premium customers.""New plug-ins should be integrated into SonarCloud to give more flexibility to the product.""Lacks sufficient visibility and documentation.""The pricing could be reduced a bit. It's a little expensive.""I would like to see improvements in defining the quality sets of rules and the quality to ensure code with low-performance does not end up in production.""The interface could be a little better and should be enhanced.""There are limitations to the free version that limit development options as far as languages.""I am not very pleased with the technical debt computation."

More SonarQube Cons →

Pricing and Cost Advice
  • "It is the right price for quality delivery."
  • "I believe pricing is better compared to other commercial tools."
  • "The pricing was not very good. This is just a framework which shouldn’t cost so much."
  • "The pricing is competitive and provides a lower TCO (total cost of ownership) for achieving application security."
  • "It is a good product but a little overpriced."
  • "The license has a vague language around P1 issues and the associated support. Make sure to review these in order to align them with your organizational policies."
  • "​Checkmarx is not a cheap scanning tool, but none of the security tools are cheap. Checkmarx is a powerful scanning tool, and it’s essential to have one of these products."
  • "We got a special offer for a 30% reduction for three years, after our first year. I think for a real source-code scanning tool, you have to add a lot of money for Open Source Analysis, and AppSec Coach (160 Euro per user per year)."
  • More Checkmarx One Pricing and Cost Advice →

  • "This is open source."
  • "We did not purchase a license (required for C++ support), but this option was considered."
  • "Get the paid version which allows the customized dashboard and provides technical support."
  • "People can try the free licenses and later can seek buying plugins/support, etc. once they started liking it."
  • "This product is open source and very convenient."
  • "The licence is standard open source licensing"
  • "The price point on SonarQube is good."
  • "Some of the plugins that were previously free are not free now."
  • More SonarQube Pricing and Cost Advice →

    Use our free recommendation engine to learn which Application Security Tools solutions are best for your needs.
    772,277 professionals have used our research since 2012.
    Answers from the Community
    William Hayes
    Swapna Ragi - PeerSpot reviewerSwapna Ragi
    Real User

    SonarQube depends on completely what you configure the Rules. You will have the option of the Profile creation and can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in the Sonat Qube. Yes, Sonarqube allows developers to delint their code before SAST.

    Veracode recently introduced it. But this integration at developer Machine integration available for only JAVA coded Projets.

    About the Vulnerability coverage, both are the same. OWASP TOP 10 is equal to Sans 25. sans25 is categorized with one category number and describes under that subsection. Refer to this.

    Durga Gudimetla - PeerSpot reviewerDurga Gudimetla
    Real User

    SonarQube can be used for SAST. However, based on our internal analysis, our team feel CheckMarx is better suited for Security compared to SonarQube. SoanrQube is used in day to day developer code scan and Checkmarx is used during code movement to staging or during release.

    Questions from the Community
    Top Answer:I would like to recommend Checkmarx. With Checkmarx, you are able to have an all in one solution for SAST and SCA as well. Veracode is only a cloud solution. Hope this helps.
    Top Answer:Compared to the solutions we used previously, Checkmarx has reduced our workload by almost 75%.
    Top Answer:The solution's price is high and you pay based on the number of users.
    Top Answer:I am not very familiar with SonarQube and their solutions, so I can not answer But if you are asking me about which tools that are the best for for Static Code Analysis, I suggest you have  a look… more »
    Top Answer:SonarQube is easy to deploy and configure, and also integrates well with other tools to do quality code analysis. SonarQube has a great community edition, which is open-source and free. Easy to use… more »
    Top Answer:We researched Coverity, but in the end, we chose SonarQube. SonarQube is a tool for reviewing code quality and security. It helps to guide our development teams during code reviews by providing… more »
    Average Words per Review
    Average Words per Review
    Veracode logo
    Compared 13% of the time.
    Fortify on Demand logo
    Compared 6% of the time.
    Snyk logo
    Compared 4% of the time.
    Coverity logo
    Compared 3% of the time. logo
    Compared 2% of the time.
    SonarCloud logo
    Compared 13% of the time.
    Coverity logo
    Compared 11% of the time.
    Veracode logo
    Compared 10% of the time.
    Snyk logo
    Compared 6% of the time.
    Also Known As
    Learn More
    Interactive Demo
    Demo Not Available

    Checkmarx One is an enterprise cloud-native application security platform focused on providing cross-tool, correlated results to help AppSec and developer teams prioritize where to focus time and resources.

    Checkmarx One offers comprehensive application scanning across the SDLC:

    • Static Application Security Testing (SAST)
    • Software Composition Analysis (SCA)
    • API security
    • Dynamic Application Security Testing (DAST)
    • Container security
    • IaC security
    • Correlation, prioritization, and risk management
    • Codebashing secure code training
    • AI security
    • Tech partnerships extending AppSec into runtime analysis
    • Developer tool integrations including: CI/CD tools, development frameworks, feedback tools, IDEs, programming languages and SCMs

    Checkmarx One provides everything you need to secure application development from the first line of code through deployment and runtime in the cloud. With an ever-evolving set of AppSec engines, correlation and prioritization features, and AI capabilities, Checkmarx One helps consolidate expanding lists of AppSec tools and make better sense of results. Its capabilities are designed to provide an improved developer experience to build trust with development teams and ensure the success of your AppSec program investment.

    SonarQube is a self-managed open-source platform that helps developers create code devoid of quality and vulnerability issues. By integrating seamlessly with the top DevOps platforms in the Continuous Integration (CI) pipeline, SonarQube continuously inspects projects across multiple programming languages, providing immediate status feedback while coding. SonarQube’s quality gates become part of your release pipeline, displaying pass/fail results for new code based on quality profiles you customize to your company standards. Following Sonar’s Clean as You Code methodology guarantees that only software of the highest quality makes it to production.

    At its core, SonarQube includes a static code analyzer that identifies bugs, security vulnerabilities, hidden secrets, and code smells. The platform guides you through issue resolution, fostering a culture of continuous improvement. SonarQube’s comprehensive reporting is a valuable tool for dev teams to monitor their codebase's overall health and quality across multiple projects in their portfolio. With SonarQube, you can achieve a state of Clean Code, leading to secure, reliable, and maintainable software.

    Sonar is the only solution combining the power of industry-leading software quality analysis with static application security testing (SAST) and real-time coding guidance in the IDE (with SonarLint) to meet the DevOps and DevSecOps demand of putting agility, automation, and security in the hands of developers. Further accelerate DevOps continuous integration by helping developers find and fix issues in code before the software testing stage, reducing the churn of finding, fixing, rebuilding, and retesting your app.

    With over 5,000 Clean Code rules, SonarQube analyzes 30+ of the most popular programming languages, including dozens of frameworks, the top DevOps platforms (GitLab, GitHub, Azure DevOps, and Bitbucket, and more), and the leading infrastructure as code (IaC) platforms.

    SonarQube is the most trusted static code analyzer used by over 7 million developers and 400,000 organizations globally to clean over half a trillion lines of code.

    Sample Customers
    YIT, Salesforce, Coca-Cola, SAP, U.S. Army, Liveperson, Playtech Case Study: Liveperson Implements Innovative Secure SDLC
    Top Industries
    Computer Software Company31%
    Financial Services Firm19%
    Comms Service Provider9%
    Manufacturing Company9%
    Financial Services Firm21%
    Computer Software Company15%
    Manufacturing Company9%
    Insurance Company5%
    Computer Software Company30%
    Financial Services Firm20%
    Comms Service Provider7%
    Manufacturing Company7%
    Financial Services Firm17%
    Computer Software Company15%
    Manufacturing Company12%
    Company Size
    Small Business38%
    Midsize Enterprise13%
    Large Enterprise50%
    Small Business17%
    Midsize Enterprise12%
    Large Enterprise71%
    Small Business25%
    Midsize Enterprise16%
    Large Enterprise59%
    Small Business17%
    Midsize Enterprise13%
    Large Enterprise70%
    Buyer's Guide
    Checkmarx One vs. SonarQube
    May 2024
    Find out what your peers are saying about Checkmarx One vs. SonarQube and other solutions. Updated: May 2024.
    772,277 professionals have used our research since 2012.

    Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while SonarQube is ranked 1st in Application Security Tools with 112 reviews. Checkmarx One is rated 7.6, while SonarQube is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Checkmarx One is most compared with Veracode, Fortify on Demand, Snyk, Coverity and, whereas SonarQube is most compared with SonarCloud, Coverity, Veracode, Snyk and GitHub Advanced Security. See our Checkmarx One vs. SonarQube report.

    See our list of best Application Security Tools vendors and best Static Application Security Testing (SAST) vendors.

    We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.